Friday, 12 April 2019

Extract NTFS permission ACL for Listed folder path

Short Story: - 
         
           I had received requirement to extract ACL (Permission entries )  information for the given folder paths which was indeed needed for the ACL clean-up project which we were running.

          So, what I did ???

Launch the "POWERSHELL ISE" and started thinking about the requirement. I know we can get the ACl information using "GET-ACL" cmdlet. So, it make easy for me to build a script with that main cmdlet.

 Challenge: 

           One challenge was to extracted information should be in Excel format with path information, ACLs with rights information

Solution: -

           I used the basic for loop method with Get-ACL cmdlet and I have to manipulate the output of cmdlet using Select with hastable customization.

           Since, most of the machine were not running PS version 3.0, I have not used the "Export-csv -append" parameter to append the each folder ACL information to CSV file

          Instead, i have to append information to the Variable and then finally at the end of the loop, Export the output to CSV file using Export-csv cmdlet

Powershell Script: -



<#
.SYNOPSIS
    List the folder permission entries for the given list of folders
   
.SYNTAX
    Script Execution Syntax is provided below. Please don't forgot create the Input file and call the input file during the script execution
   
    How to Execute the Script :
   
    .\ACL_Extract_RootFoldersonly.ps1 -InputFile .\folderlist.txt

     
.DESCRIPTION
   
    . This Script is designed for the requirement to get the list of ACLs in the project root directory for access clean-up purpose.
    . Script only looks for the
     
.PARAMETER
    -Inputfile
        This file should contain folder names each in separate line. If possible include full path or your have to copy the script location the folders are exist
        . This parameter Value is mandatory to be provided while executing the script.
   
    Ex:
    c:\projet\folder1
    c:\projet\folder1
 
     ( or )
   Folder1
   Folder2 


.EXAMPLE

    .\ACL_Extract_RootFoldersonly.ps1 -InputFile .\folderlist.txt


.Notes
   Script is created and tested in test facility. Ready all the information carefully and use in your environment with test users before
   using in Production.
   It works with Powershell Version 2.0

.Modifications
   Script Initially created by : Murugan Natarjaan / murugan.natarajan@outlook.com
   Date of Initial Version     : 04/Apr/2019
 
#>

Param(
   
    $InputFile = '.\folderlist.txt'
   
)

$folders = Get-Content $InputFile

# Loop each folder path and get the ACl information and store in the variable named "output" with append operation, so that it can be simply exported
# to CSV file for our requiremnet for easy view.

Foreach ($folder in $folders){
 
    $output+=Get-Acl $folder | select -ExpandProperty access | select @{label='FolderName';Expression={$folder}},identityreference,filesystemrights
     

}

# Every time the report.csv is replaced with latest content ( No append operation here )

$output | Export-Csv Report.csv -NoTypeInformation



Posted by at No comments:

User password expiry date identify ( Even if you have FPP deployed for user )

Short Story about issue: -

           Everyone might be already aware that we can get the basic information user attribute information using "net user" command,

           for example : Net User /dom mnatarajan

Which give useful information like when password last set, when it's expiring and when the password can be changeable all based on the password policy applied.

          I came across an issue that when I query similar information for an user where the specific "Fine-Grained Password policy" is applied, the native tool gives me the information for the "Default domain password policy" instead of FPP policy calculated information.

Solution: -

         To get the password expire date, i have to get few details of user and process to check whether FPP is applied or default password policy is applied and then calculate the password expire date for an user.

PS Script Detail: -


# Identify the Next possible password expire date for user

# Global Parameter defining, you can also execute script like below example
# Example: .\Calc_User_passwordExpiry_Date.ps1 -inputuser 'mnatarajan'
# Created by Murugan Natarajan /DXC
# Mail address: mnatarajan24@dxc.com

    param(
   
    $Inputuser = 'mnatarajan'

    )
   
    # Validate Simple check for user existance in domain, if does not exist, EXIT the script.


    If ((Get-Aduser $inputuser) -eq $null){

        Write-Output "$Inputuser does exist in default domain, validate user name in input"
        EXIT
       
    }
   
   
    # Check if user has FPP setup

    $fppcheck= Get-ADUserResultantPasswordPolicy $Inputuser
       
    # Calling user Password last set attribute

    $passlastset= Get-ADUser $Inputuser -pr passwordlastset | select -ExpandProperty passwordlastset

    # If User is not applied with FPP, then take value of default user password  to variable and compare with user last password set time

        If($fppcheck -eq $null)  {
       
            $DefaultCheck= Get-ADDefaultDomainPasswordPolicy

            $collectMaxpassage= $DefaultCheck.MaxPasswordAge.Days
            $DefaultUserPassExpireson = $passlastset.AddDays($collectMaxpassage)

            Write-Output "Password Expires for $Inputuser on $DefaultUserPassExpireson (Default Domain Password Policy)"

        }
       
        # If FPP is applied for the given user, then taken info from FPP and process with last password set time

        else {
       
            $Fppmaxpassage= $fppcheck.MaxPasswordAge.Days
            $FppuserPassExpire= $passlastset.AddDays($Fppmaxpassage)
            $Fppname = $Fppcheck.name
            Write-Output "Password Expires for $Inputuser on $FppuserPassExpire _FPP-Applied $Fppname"
       
        }





Posted by at No comments:

Wednesday, 16 August 2017

Delegate permission to retrieve the Bit-Locker keys



Hello Guys,

We started the work to clean up users from the privileged groups like “Domain Admins and Enterprises Admins” group.

Yes, it’s good idea to have only limited persons only on these groups. But lots of users who are removed from these groups started complaining that they lots their access to the shares, bit-locker key retrieval and unable to do basic tasks like password reset, unlock account and group membership changes.


So, as first step we granted the share and delegated rights for basic tasks, but I was only stuck with granting rights to Bit-Locker password key retrieval.

Have setup the Delegation of wizard at domain level to the particular group and granted the rights to Read permission to the ms-FVE-Recoveryinformaiton objects.

How to grant rights through Delegation wizard ?

1) Start the Delegation wizard at domain level





2) Select the Bit-Locker Support group


3) Select create custom task to delegate

                                                                                                                                                                       

4) Select the "msFVE-RecoveryInformation" in the "Only the following objects in the folder"


                                               
5) Select the "Read all properties"

                                      
6) Finish the Delegation wizard.

                                             
Now add the users required desktop admins to the Bit-Locker support group
Ask them to install RSAT tools for AD and Bit-locker support tools on their management system


Now, they should be able to view the Bit-Locker password information after launching the DSA.msc console. New tab should be visible in the console

Note:  You may noticed that there are no items in this view in the below snapshot, but it's ok because it's my test machine where Bit-locker is not installed. 




Posted by at No comments:
Subscribe to: Posts (Atom)